I have one Cisco SG-300-52 switch in Layer 3 mode and 3 SG-300-52 in Layer 2 mode. Currently they are all connected together with spanning-tree loops using link aggregation. I am running the 192.168.0.0/16 subnet on this setup. There is a Gentoo DHCP server allocating IP addresses to all clients (fixed DHCP based on MAC). Everything works perfectly in this Layer 2 network.

I want to set up a few VLANs across the network, since I want to separate the subnets' traffic from each other for security reasons. My question:

Is it possible to separate the VLANs from each other but at the same time have all VLANs able to communicate with my Gentoo server (on any ports)? I also want a few admin computers to be able to communicate with any device in any VLAN. Basically I can summarize it as:

VLAN 10 - "admin" VLAN. Contains the server and admin computers; can talk to any device in the network.

VLAN 20 - "regular" VLAN. Contains devices that should not be able to talk to any other VLAN.

VLAN 30 - "regular" VLAN. Contains devices that should not be able to talk to any other VLAN.

I would also like to make one VLAN with very strict security and not allow devices within that VLAN to even talk to each other, only to the "admin" VLAN.

And at the same time I want to keep my Gentoo server as the DHCP server, so all clients should be getting their IP addresses from my server.

1 Answer

You can create VLAN interfaces on the server (each with a different IP address), attach the server to a switch port configured as a "trunk" (with the three VLANs you've identified as "allowed" on the port), and the server will be able to communicate with clients in each VLAN. Be sure that you don't enable IP forwarding on the Linux machine if you don't want it to route packets between the VLANs on behalf of clients in the VLANs.

VLAN interfaces act as virtual network interfaces. The server will, for all intents and purposes, act as though it has three network interfaces instead of one.
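The setup the answer describes, as an added example that is not part of the original answer: a POSIX shell script that builds the three 802.1Q sub-interfaces on the Linux server's trunk-facing NIC and checks that the kernel is not forwarding between them. The VLAN IDs 10, 20 and 30 are the ones from the question; the NIC name `eth0`, the per-VLAN server addresses (`192.168.10.1/24` and so on) and the `APPLY` / `TRUNK_IF` / `IP_FORWARD_FILE` variables are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the original answer. Creates one VLAN
# sub-interface per allowed VLAN on a trunk-attached Linux host and verifies
# that the host will not route between those VLANs.
# Assumptions: trunk NIC is eth0; addresses below are made-up sample values.

TRUNK_IF="${TRUNK_IF:-eth0}"
IP_FORWARD_FILE="${IP_FORWARD_FILE:-/proc/sys/net/ipv4/ip_forward}"

# "VLAN-ID  server-address-in-that-VLAN" (constructed sample plan;
# the VLAN IDs are the ones named in the question).
VLAN_PLAN="10 192.168.10.1/24
20 192.168.20.1/24
30 192.168.30.1/24"

# Print the ip(8) commands that create one sub-interface, address it and
# bring it up. Printing instead of executing lets the plan be reviewed
# (or captured into a script) before it touches a live host.
vlan_cmds() {
    vid="$1"; addr="$2"; sub="$TRUNK_IF.$vid"
    printf 'ip link add link %s name %s type vlan id %s\n' "$TRUNK_IF" "$sub" "$vid"
    printf 'ip addr add %s dev %s\n' "$addr" "$sub"
    printf 'ip link set %s up\n' "$sub"
}

# Print the commands for every VLAN in the plan (three commands per VLAN).
plan_cmds() {
    printf '%s\n' "$VLAN_PLAN" | while read -r vid addr; do
        if [ -n "$vid" ]; then
            vlan_cmds "$vid" "$addr"
        fi
    done
}

# Succeed only if IPv4 forwarding is off. A value of 1 means the server
# would route between VLAN 10/20/30 on behalf of the clients, which is what
# the answer warns against. An unreadable file counts as "unknown" (failure).
forwarding_is_off() {
    val=$(cat "$IP_FORWARD_FILE" 2>/dev/null) || return 1
    [ "$val" = "0" ]
}

# Run with APPLY=1 (as root) to execute the plan; otherwise only print it.
if [ "${APPLY:-0}" = "1" ]; then
    plan_cmds | sh -e
    sysctl -w net.ipv4.ip_forward=0
else
    plan_cmds
    if forwarding_is_off; then
        echo "# ip_forward is 0: the server will not route between VLANs"
    else
        echo "# WARNING: ip_forward is not 0 (or unreadable); the server may route between VLANs"
    fi
fi
```

Once each `eth0.<id>` interface carries an address in its VLAN's subnet, the DHCP daemon on the server can be given one subnet declaration per VLAN and will answer clients in all three VLANs without any relay. The `sysctl -w` call only changes the running kernel; to keep forwarding disabled across reboots, set `net.ipv4.ip_forward = 0` in the system's sysctl configuration as well.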